Abstract—Real-time signal processing applications are increasingly focused on analyzing privacy-sensitive data obtained from individuals, and this data might need to be processed through model-based estimators to produce accurate statistics. Moreover, the models used in population dynamics studies, e.g., in epidemiology or sociology, are often necessarily nonlinear. This paper presents a design approach for nonlinear privacy-preserving model-based observers, relying on contraction analysis to give differential privacy guarantees to the individuals providing the input data. The approach is illustrated in two applications: estimation of edge formation probabilities in a dynamic social network, and syndromic surveillance relying on an epidemiological model.

I. Introduction 

The development of many recent technological systems, such as location-based services, the “Internet of Things”, or electronic biosurveillance systems, relies on the analysis of personal data originating from generally privacy-sensitive participants. In many cases, the system is only interested in producing aggregate statistics from these individual data streams, e.g., a dynamic map showing road traffic conditions or an estimate of power consumption in a neighborhood, but even though aggregation helps, significant privacy breaches cannot be ruled out a priori [1]–[3]. This is mainly due to the possibility of correlating the system’s output with other publicly available data. The integration of privacy-preserving mechanisms with formal guarantees into such systems would help alleviate some of the justified concerns of the participants and encourage wider adoption.

While various information theoretic definitions can be given to the concept of privacy and are potentially applicable to the processing of data streams in real-time [4], we focus on the notion of differential privacy, which originates from the database and cryptography literature [5]. A differentially private mechanism publishes information about a dataset in a way that is not too sensitive to a single individual’s data. As a result, it becomes difficult to make inferences about that individual from the published output. Previous work on the design of linear filters with differential privacy guarantees includes [6]–[10]. The problem studied in this paper is that of designing privacy-preserving nonlinear model-based estimators, which to the best of our knowledge has not been studied in a general setting before.

A convenient way of achieving differential privacy for an estimator is to bound its so-called sensitivity [5], a form of incremental system gain between the private input signal and the published output [9]. Various tools can be used for this purpose, and here we rely on contraction analysis, see, e.g., [11]–[14] and the references therein.

The rest of the paper is divided as follows. Section II presents the problem statement formally, provides a brief introduction to the notion of differential privacy, and describes privacy-preserving mechanisms with input and output perturbation. In Section III we develop a type of “vanishing-input vanishing-output” property of contracting systems similar to the one presented in [12] but stated here for discrete-time systems. This result is then applied in Section IV to the design of differentially private observers with output perturbation. The methodology is illustrated via two examples. In Section V we consider the problem of estimating link formation probabilities in a dynamic social network, with a nonlinear measurement model. In Section VI we consider a nonlinear epidemiological model and design a differentially private estimator of the proportion of susceptible and infectious people in a population, assuming a syndromic data source.

Notation: In this paper, $\mathbb{N} := \{0, 1, \ldots\}$ denotes the set of non-negative integers. For $T : X \to Y$ a linear map between finite dimensional vector spaces $X$ and $Y$ equipped with the norms $|\cdot|_X$ and $|\cdot|_Y$ respectively, we denote by $\|T\|_{X,Y}$ its induced norm. If $X = Y$ and both spaces are equipped with the same norm $|\cdot|_X$, we simply write $\|\cdot\|_X$.


II. Problem Statement

A. Observer Design

Suppose that we can measure a discrete-time signal $\{y_k\}_{k \geq 0}$ for which we have a state-space model of the form

$$x_{k+1} = f_k(x_k) + w_k, \tag{1}$$

$$y_k = g_k(x_k) + v_k, \tag{2}$$

where $w_k, v_k$ are noise signals capturing the uncertainty in the model, $x_k \in X := \mathbb{R}^n$ for some $n$, and $y_k \in Y := \mathbb{R}^m$ for some $m$. The goal is to reconstruct from $y_k$ an estimate of the state $x_k$ that we denote $z_k$, i.e., we want to build a state observer, which we assume in this paper to be of the simple Luenberger-type form

$$z_{k+1} = f_k(z_k) + L_k (y_k - g_k(z_k)), \tag{3}$$

where $L_k$ is a sequence of gain matrices to determine.

In the applications discussed later in the paper, the signal $y_k$ is collected from privacy-sensitive individuals, hence needs to be protected. On the other hand, the model (1), (2), i.e., the functions $f_k$, $g_k$, is assumed to be publicly available. The data aggregator wishes to release the signal $z_k$ produced by (3) publicly as well. However, since $z_k$ depends on the sensitive signal $y_k$, we will only allow the release of an approximate version of $z_k$ carrying certain privacy guarantees detailed formally in the next subsection. We will later see that the gain matrices need to be carefully chosen to balance accuracy or speed of the observer on the one hand and the level of privacy offered on the other hand.

Remark 1: Note that we do not provide here nor use in our designs any model of the noise signals $w_k$ and $v_k$, which are simply used as a device to explain the discrepancy between any measured signal $y_k$ and the signal predicted by a deterministic model.

B. Differential Privacy

A differentially private version of the observer (3) should produce an output that is not too sensitive to certain variations associated to an individual’s data in the input signal $y_k$. The formal definition of differential privacy is given in Definition 1 below. An individual’s signal could correspond to a specific component of $y_k$, or $y_k$ could already represent a signal aggregated from many individuals [9]. We specify first the type of variations in $y_k$ that we want to make hard to detect by defining a symmetric binary relation, denoted Adj, on the space of datasets $\mathsf{D}$ of interest, here the space of signals $y$. We consider here the following adjacency relation

$$\mathrm{Adj}(y, \tilde{y}) \;\text{ iff }\; y_k = \tilde{y}_k, \ k < k_0, \quad \text{and} \quad |y_k - \tilde{y}_k|_Y \leq K \alpha^{k - k_0}, \ k \geq k_0, \tag{4}$$

where $|\cdot|_Y$ is a specified norm on $Y$, and $K > 0$, $0 \leq \alpha < 1$ are given constants. In other words, we aim at providing differential privacy guarantees for transient deviations starting at any time $k_0$ that subsequently decrease geometrically. Note that in [6], [7] the authors consider for the design of a differentially private counter an adjacency condition where the (scalar) input signals can vary by at most one and at a single time period. In comparison, our adjacency condition (4) greatly enlarges the set of signal deviations associated to an individual for which we aim to provide guarantees.

Differentially private mechanisms necessarily randomize their outputs, so that they satisfy the following property.

Definition 1: Let $\mathsf{D}$ be a space equipped with a symmetric binary relation denoted Adj, and let $(\mathsf{R}, \mathcal{M})$ be a measurable space. Let $\varepsilon, \delta \geq 0$. A mechanism $M : \mathsf{D} \times \Omega \to \mathsf{R}$ is $(\varepsilon, \delta)$-differentially private for Adj if for all $d, d' \in \mathsf{D}$ such that $\mathrm{Adj}(d, d')$, we have

$$\mathbb{P}(M(d) \in S) \leq e^{\varepsilon}\, \mathbb{P}(M(d') \in S) + \delta, \quad \forall S \in \mathcal{M}. \tag{5}$$

If $\delta = 0$, the mechanism is said to be $\varepsilon$-differentially private. This definition quantifies the allowed deviation for the output distribution of a differentially private mechanism, when the variations at the input satisfy the adjacency relation. Smaller values of $\varepsilon$ and $\delta$ correspond to stronger privacy guarantees. In this paper, the space $\mathsf{D}$ was defined as the space of input signals $y$, the adjacency relation considered is (4), and the output space $\mathsf{R}$ is the space of output signals $z$ for the observer. We then wish to publish an accurate estimate of the state $x$ while satisfying the property of Definition 1 for specified values of $\varepsilon$ and $\delta$.

C. Sensitivity and Basic Mechanisms

Enforcing differential privacy can be done by randomly perturbing the published output of a system, at the price of reducing its utility or quality. Hence, we are interested in evaluating as precisely as possible the amount of noise necessary to make a mechanism differentially private. For this purpose, the following quantity plays an important role.

Definition 2: Let $p$ be a positive integer. The $\ell_p$-sensitivity of a system $G$ with $m$ inputs and $n$ outputs with respect to the adjacency relation Adj is defined by

$$\Delta_p G = \sup_{\mathrm{Adj}(u, u')} \|Gu - Gu'\|_p,$$

where by definition $\|v\|_p = \left(\sum_{k=0}^{\infty} \sum_{i=1}^{n} |v_{k,i}|^p\right)^{1/p}$ for $v = \{v_k\}_{k \geq 0}$ a vector-valued signal, where $v_k \in \mathbb{R}^n$ has components $\{v_{k,i}\}_{i=1}^{n}$.

In practice we will be interested in the sensitivity of a system for the cases $p = 1$ and $p = 2$. The basic mechanisms of Theorem 1 below (see [9] for proofs and references) can be used to produce differentially private signals. First, we need the following definitions. A zero-mean Laplace random variable with parameter $b$ has the pdf $\exp(-|x|/b)/2b$, and its variance is $2b^2$. The Q-function is defined as $Q(x) := \frac{1}{\sqrt{2\pi}} \int_x^{\infty} e^{-u^2/2}\, du$. Now for $\varepsilon > 0$, $0.5 > \delta > 0$, let $K = Q^{-1}(\delta)$ and define $\kappa_{\delta,\varepsilon} = \frac{1}{2\varepsilon}\left(K + \sqrt{K^2 + 2\varepsilon}\right)$, which can be shown to behave roughly as $O(\ln(1/\delta))^{1/2}/\varepsilon$.

Theorem 1: Let $G$ be a system with $m$ inputs and $n$ outputs. Then the mechanism $M(u) = Gu + w$, where all $w_{k,i}$, $k \geq 0$, $1 \leq i \leq n$, are independent Laplace random variables with parameter $b = (\Delta_1 G)/\varepsilon$, is $\varepsilon$-differentially private for Adj. If $w_k$ is instead a white Gaussian noise with covariance matrix $\kappa_{\delta,\varepsilon}^2 (\Delta_2 G)^2 I_n$, the mechanism is $(\varepsilon, \delta)$-differentially private.

D. Input and Output Perturbation

We see that the amount of noise necessary for differential privacy with the mechanisms of Theorem 1 is proportional to $\Delta_1 G/\varepsilon$ or to $\kappa_{\delta,\varepsilon} \Delta_2 G$. A very useful additional result stated here informally says that post-processing a differentially private signal without re-accessing the privacy-sensitive input signal does not change the differential privacy guarantee [9, Theorem 1]. Now in Theorem 1 the system $G$ can simply be the identity, whose $\ell_1$- and $\ell_2$-sensitivity for the adjacency relation (4) when $|\cdot|_Y$ is the 1-norm or the 2-norm are $K/(1 - \alpha)$ and $K/\sqrt{1 - \alpha^2}$ respectively. This immediately gives a first possible design for our privacy-preserving observer, simply adding Laplace or Gaussian noise directly to the input signal $y$, see Fig. 1 a). Moreover the observer can then be designed to mitigate the effect of this input noise, whose distribution is known. We call this design an input perturbation mechanism. Note also that for $\alpha$ close to 1, $K/\sqrt{1 - \alpha^2}$ can be significantly smaller than $K/(1 - \alpha)$, so that sacrificing some $\delta$ in the privacy guarantee to use the $\ell_2$-sensitivity can provide better accuracy.

Fig. 1. Gaussian mechanisms with input (a) and output (b) perturbation. $\eta_k$ represents a zero-mean white Gaussian noise with identity covariance matrix. Dashed lines represent a differentially private signal.

The simple input perturbation mechanism is attractive and can perform well. However, it can also potentially exhibit the following drawbacks. First, the convergence of nonlinear observers is often local and adding noise at the input can lead to poor performance and perhaps divergence of the estimate from the true trajectory. Second, characterizing the output error due to the privacy-preserving noise requires understanding how this noise is transformed after passing through the nonlinear observer. In general, at the output the noise distribution can become multimodal and the noise non-white and non-zero-mean, creating in particular a systematic bias that can be hard to predict. An alternative is the output perturbation mechanism, shown on Fig. 1 b). In this case the privacy-preserving noise is added after the observer denoted $G$, which from Theorem 1 requires computing the sensitivity of $G$. In this case we should try to design an observer that has both good tracking performance for the state trajectory and low sensitivity to reduce the output noise necessary, and we focus on this issue in the following. As shown on Fig. 1 b), we can also add a smoothing filter at the output to filter out the Laplace or Gaussian noise, although this will generally affect some transient performance measure of the overall system. We do not discuss the design of the smoothing filter in this paper.

Example 1: Consider the memoryless system $y_k \mapsto \phi(y_k) = y_k^2$ and the adjacency relation (4) for $\alpha = 0$, so that we have a deviation at a single time period of at most $K$ between $y_k$ and $\tilde{y}_k$. Consider then the Gaussian mechanism, and let’s assume $\kappa_{\delta,\varepsilon} = 1$. For the input perturbation scheme, the signal $z_k = (y_k + K\xi_k)^2 = y_k^2 + 2K y_k \xi_k + K^2 \xi_k^2 = y_k^2 + e_k$ is differentially private when $\xi$ is a standard Gaussian white noise. In this case, the privacy-preserving noise at the input induces a systematic bias at the output between $z_k$ and $y_k^2$ equal to $\mathbb{E}[e_k] = \mathbb{E}[K^2 \xi_k^2] = K^2$.
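The following is an added worked example, not code from the paper, putting numbers on Theorem 1 and on the input perturbation discussion of Section II-D for the case where $G$ is the identity: it evaluates the $\ell_1$- and $\ell_2$-sensitivities $K/(1-\alpha)$ and $K/\sqrt{1-\alpha^2}$ of the adjacency relation (4), the constant $\kappa_{\delta,\varepsilon}$ (with $Q^{-1}(\delta)$ computed as the $(1-\delta)$-quantile of the standard normal via the standard library), the resulting Laplace parameter $b$ and Gaussian standard deviation, and it checks whether two scalar signals are adjacent in the sense of (4). The function names, the sample signals and the parameter values are this example’s own constructions.

```python
import math
from statistics import NormalDist


def l1_sensitivity_identity(K, alpha):
    # Delta_1 of the identity map for adjacency (4), |.|_Y the 1-norm:
    # sum_{k >= k0} K alpha^(k - k0) = K / (1 - alpha)
    return K / (1.0 - alpha)


def l2_sensitivity_identity(K, alpha):
    # Delta_2 of the identity map for adjacency (4), |.|_Y the 2-norm:
    # sqrt(sum_{k >= k0} K^2 alpha^(2(k - k0))) = K / sqrt(1 - alpha^2)
    return K / math.sqrt(1.0 - alpha ** 2)


def kappa(delta, eps):
    # kappa_{delta,eps} = (Kq + sqrt(Kq^2 + 2 eps)) / (2 eps) with Kq = Q^{-1}(delta);
    # Q^{-1}(delta) is the (1 - delta)-quantile of the standard normal distribution
    if not 0.0 < delta < 0.5 or eps <= 0.0:
        raise ValueError("need 0 < delta < 0.5 and eps > 0")
    kq = NormalDist().inv_cdf(1.0 - delta)
    return (kq + math.sqrt(kq ** 2 + 2.0 * eps)) / (2.0 * eps)


def noise_scales_identity(K, alpha, eps, delta):
    # Theorem 1 applied to G = identity (input perturbation): Laplace parameter
    # b = Delta_1 / eps, and per-coordinate Gaussian standard deviation kappa * Delta_2
    return {
        "laplace_b": l1_sensitivity_identity(K, alpha) / eps,
        "gaussian_sigma": kappa(delta, eps) * l2_sensitivity_identity(K, alpha),
    }


def is_adjacent(y, y_tilde, K, alpha, tol=1e-12):
    # Relation (4) for two scalar signals of equal length: identical before the first
    # differing index k0, and |y_k - y~_k| <= K alpha^(k - k0) from k0 on.
    if len(y) != len(y_tilde):
        raise ValueError("signals must have the same length")
    diffs = [abs(a - b) for a, b in zip(y, y_tilde)]
    k0 = next((k for k, d in enumerate(diffs) if d > tol), None)
    if k0 is None:
        return True  # identical signals are trivially adjacent
    return all(d <= K * alpha ** (k - k0) + tol for k, d in enumerate(diffs) if k >= k0)


def constructed_adjacent_pair(K, alpha, k0=3, n=8, base=0.5):
    # Constructed sample: a flat signal and a copy carrying a geometrically decaying
    # deviation of initial size K starting at time k0 (exactly the allowance of (4)).
    y = [base] * n
    y_tilde = [base + (K * alpha ** (k - k0) if k >= k0 else 0.0) for k in range(n)]
    return y, y_tilde


if __name__ == "__main__":
    # For alpha close to 1 the Gaussian (l2) route needs far less noise than the Laplace (l1) one.
    for alpha in (0.25, 0.9, 0.99):
        print(alpha, noise_scales_identity(K=1.0, alpha=alpha, eps=1.0, delta=0.05))
    y, yt = constructed_adjacent_pair(K=0.01, alpha=0.25)
    print(is_adjacent(y, yt, K=0.01, alpha=0.25), is_adjacent(y, yt, K=0.005, alpha=0.25))
```

With $K = 1$, $\varepsilon = 1$, $\delta = 0.05$ the Laplace parameter grows as $1/(1-\alpha)$ (100 at $\alpha = 0.99$) while the Gaussian standard deviation grows only as $1/\sqrt{1-\alpha^2}$ (about 13.5 at $\alpha = 0.99$); for small $\alpha$ the comparison reverses, because $\kappa_{\delta,\varepsilon}$ is close to 2 while the two sensitivities are close to each other.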

III. Contracting Systems

In the rest of the paper we focus on output perturbation mechanisms, as described on Fig. 1 b), and we use contraction theory to bound the sensitivity $\Delta G$ and hence compute the noise level necessary for privacy. Contraction theory has seen significant developments in the past two decades, see, e.g., [11]–[14] and the references therein for references to earlier work. In this section, we present some results that we rely on later in the paper. Proofs of these results are given for completeness, since most results in this area are typically stated for continuous-time rather than discrete-time systems.

Consider a discrete-time system

$$x_{k+1} = f_k(x_k), \tag{6}$$

with $x_k \in X$, for all $k \in \mathbb{N}$. Let us denote by $\phi(k; k_0, x_0)$ the value at time $k \geq k_0$ of a solution of (6) which takes the value $x_0$ at time $k_0$. A forward invariant set for the system (6) is a set $C \subset \mathbb{R}^n$ such that if $x_0 \in C$, then for all $k_0$ and all $k \geq k_0$, $\phi(k; k_0, x_0) \in C$.

Definition 3: Let $\alpha$ be a nonnegative constant. The system (6) is said to be $\alpha$-contracting for the norm $|\cdot|_X$ on a forward invariant set $C \subset X$ if for any $k_0 \in \mathbb{N}$ and any two initial conditions $x_0, \tilde{x}_0 \in C$, we have, for all $k \geq k_0$,

$$|\phi(k; k_0, x_0) - \phi(k; k_0, \tilde{x}_0)|_X \leq \alpha^{k - k_0} |x_0 - \tilde{x}_0|_X. \tag{7}$$

Theorem 2: A sufficient condition for the system (6) to be $\alpha$-contracting for a norm $|\cdot|_X$ on a convex forward invariant set $C$ is that

$$\|F_k(x)\|_X \leq \alpha, \quad \forall x \in C,\ \forall k \in \mathbb{N}, \tag{8}$$

where $F_k(x) = \frac{\partial f_k}{\partial x}(x)$ is the Jacobian matrix of $f_k$ at $x$ and $\|\cdot\|_X$ is the matrix norm induced by $|\cdot|_X$.

Proof: Consider the path $\gamma(r) = \tilde{x}_0 + r(x_0 - \tilde{x}_0)$, for $r \in [0, 1]$, between the initial conditions $\tilde{x}_0$ and $x_0$. This path is transported into the sequence of functions $\psi_k(r) := \phi(k; k_0, \gamma(r))$. Now define the tangent vectors $w_k(r) := \frac{\partial \psi_k}{\partial r}(r)$. We obtain immediately

$$w_{k+1}(r) = F_k(\psi_k(r))\, w_k(r), \quad \forall r \in [0, 1],\ \forall k \geq k_0.$$

Then, with $x_k = \phi(k; k_0, x_0)$ and $\tilde{x}_k = \phi(k; k_0, \tilde{x}_0)$,

$$|x_k - \tilde{x}_k| \leq |\psi_k(1) - \psi_k(0)| = \left| \int_0^1 \psi_k'(r)\, dr \right| \leq \int_0^1 |w_k(r)|\, dr \leq \alpha^{k - k_0} \int_0^1 |w_{k_0}(r)|\, dr = \alpha^{k - k_0} \int_0^1 |\gamma'(r)|\, dr = \alpha^{k - k_0} |x_0 - \tilde{x}_0|.$$
∎

For any positive definite matrix $P$, $|x|_P = \sqrt{x^T P x}$ defines a norm on $X = \mathbb{R}^n$. Specializing the condition of Theorem 2 to this norm, we obtain the following result.

Corollary 1: Let $P$ be a positive definite matrix. A sufficient condition for the system (6) to be $\alpha$-contracting for the norm $|\cdot|_P$ on a convex forward invariant set $C$ is that the following Linear Matrix Inequalities (LMI) are satisfied

$$F_k(x)^T P F_k(x) \preceq \alpha^2 P, \quad \forall x \in C,\ \forall k \in \mathbb{N}.$$

Proof: Condition (8) for the matrix norm induced by $|\cdot|_P$ can be rewritten $\|D F_k(x) D^{-1}\|_2 \leq \alpha$, $\forall x$, $\forall k \in \mathbb{N}$, where $\|A\|_2$ denotes the induced 2-norm of the matrix $A$, i.e., its largest singular value, and $D$ is the positive-definite square root of $P$. The equivalence with the LMI is immediate. ∎

Remark 2: Contraction theory can be developed in a more 
general differential geometric framework [11], [13], which 
we do not use here however, for simplicity of exposition and 
also because some of the needed explicit calculations become 
more difficult, e.g., requiring the computation of non-trivial 
geodesic paths and distances. 

Under conditions such as that of Theorem 2, cascades of contracting systems are again contracting [11], [12]. Consider the system (6) on $X = \mathbb{R}^n$ equipped with the norm $|\cdot|_X$, and assume that it satisfies condition (8). Then, consider another system $z_{k+1} = g_k(x_k, z_k)$, with $z_k \in Z = \mathbb{R}^n$ equipped with the norm $|\cdot|_Z$, and assume that we have the bounds

$$\|G_k(x, z)\|_Z \leq \beta, \quad \forall x \in C,\ \forall z \in C',\ \forall k \in \mathbb{N}, \tag{9}$$

$$\|A_k(x, z)\|_{X,Z} \leq K, \quad \forall x \in C,\ \forall z \in C',\ \forall k \in \mathbb{N}, \tag{10}$$

where $G_k(x, z) = \frac{\partial g_k}{\partial z}(x, z)$, $A_k(x, z) = \frac{\partial g_k}{\partial x}(x, z)$, $\beta, K$ are nonnegative constants, $C$ is convex and $C \times C'$ is forward invariant for the coupled system.

Theorem 3: Under the previous conditions (8), (9), (10), for any $p > 0$ the cascade system

$$x_{k+1} = f_k(x_k), \qquad z_{k+1} = g_k(x_k, z_k)$$

is $\gamma$-contracting on $X \times Z$ for the norm

$$|[x^T\ z^T]^T| = p|x|_X + |z|_Z, \tag{11}$$

with $\gamma = \max\{\alpha + K/p,\ \beta\}$. More precisely, the Jacobian of the cascade system

$$J_k(x, z) = \begin{bmatrix} F_k(x) & 0 \\ A_k(x, z) & G_k(x, z) \end{bmatrix}$$

satisfies

$$\|J_k(x, z)\| \leq \gamma, \quad \forall x \in C,\ z \in C',\ \forall k \in \mathbb{N}, \tag{12}$$

where $\|\cdot\|$ is the matrix norm induced by the norm (11).

Proof: Let $(v, w) \in \mathbb{R}^n \times \mathbb{R}^n$. Then

$$\left| J_k(x, z) \begin{bmatrix} v \\ w \end{bmatrix} \right| = p|F_k(x) v|_X + |A_k(x, z) v + G_k(x, z) w|_Z \leq \alpha p|v|_X + K|v|_X + \beta|w|_Z = p(\alpha + K/p)|v|_X + \beta|w|_Z \leq \gamma(p|v|_X + |w|_Z) = \gamma\, |[v^T\ w^T]^T|,$$

which proves (12). ∎

Note that in Theorem 3 we need to choose $p$ large enough to satisfy the condition $\alpha + K/p < 1$ to show that pairwise trajectories of the cascade system are effectively converging toward each other. We can now prove the following result, which will be our main tool in the following.

Theorem 4: Consider a (contracting) system on $X$

$$x_{k+1} = f_k(x_k), \tag{13}$$

and the modified system

$$\tilde{x}_{k+1} = f_k(\tilde{x}_k) + d_k(\tilde{x}_k), \tag{14}$$

where $d_k(\tilde{x}_k)$ denotes a perturbation input. Suppose that there exists $k_0 \in \mathbb{N}$ such that $d_k(x_k) = 0$ for $k < k_0$, and

$$|d_k(x_k)|_X \leq K\alpha^{k - k_0}, \quad \forall k \geq k_0, \tag{15}$$

for some constants $K, \alpha > 0$. Finally, suppose that we have the contraction condition

$$\|J_k(x; \rho)\|_X \leq \beta, \quad \forall \rho \in [0, 1],\ \forall x \in C,\ \forall k \geq k_0, \tag{16}$$

where $C$ is a convex set that is forward invariant for (13) and (14), and

$$J_k(x; \rho) = \frac{\partial f_k}{\partial x}(x) + \frac{\rho}{\alpha^{k - k_0}} \frac{\partial d_k}{\partial x}(x).$$

If $x_0, \tilde{x}_0 \in C$, then for $k \geq k_0$, and any $p > 0$, we have

$$|\tilde{x}_k - x_k|_X \leq p\left(\gamma^{k - k_0} - \alpha^{k - k_0}\right) + \gamma^{k - k_0} |\tilde{x}_0 - x_0|_X,$$

where $x_k = \phi(k; k_0, x_0)$, $\tilde{x}_k = \tilde{\phi}(k; k_0, \tilde{x}_0)$ and $\gamma = \max\{\alpha + K/p,\ \beta\}$.

Proof: Following the idea in [12, Lemma 4] for example, we consider the following cascade system with $\rho_k \in [0, 1]$

$$\rho_{k+1} = \alpha \rho_k, \qquad x_{k+1} = f_k(x_k) + \frac{\rho_k}{\alpha^{k - k_0}}\, d_k(x_k).$$

For the initial condition $(0, x_0)$ at $k_0$, we obtain a trajectory of the unperturbed system (13), whereas for the initial condition $(1, \tilde{x}_0)$, we obtain a trajectory of the perturbed system (14). The scalar $\rho$ system is $\alpha$-contracting. For each $\rho \in [0, 1]$, the $x$-system is $\beta$-contracting by (16). Moreover, the differential of the second vector field with respect to $\rho$ is $d_k(x)/\alpha^{k - k_0}$, which is bounded by $K$ from (15). Hence, applying the result of Theorem 3 for any $p > 0$ the overall system is contracting with respect to the norm $p|\rho| + |x|$ (where $\rho \in \mathbb{R}$, $x \in \mathbb{R}^n$), with rate $\gamma = \max\{\alpha + K/p,\ \beta\}$, so

$$p\alpha^{k - k_0} + |\tilde{x}_k - x_k|_X \leq \gamma^{k - k_0}\left(p + |\tilde{x}_0 - x_0|_X\right),$$

$$|\tilde{x}_k - x_k|_X \leq p\left(\gamma^{k - k_0} - \alpha^{k - k_0}\right) + \gamma^{k - k_0}|\tilde{x}_0 - x_0|_X.$$
∎

Remark 3: Note that if $d_k$ is independent of $x$, then the contraction condition (16) is simply a contraction condition on the original system (13) since $\frac{\partial d_k(x)}{\partial x} = 0$.

IV. Differentially Private Observers with Output Perturbation

Let us now return to our initial differentially private observer design problem with output perturbation. We can rewrite the system (3) in the form $z_{k+1} = (f_k(z_k) - L_k g_k(z_k)) + L_k y_k$. For a measured signal $\tilde{y}$ adjacent to $y$ according to (4) we then get the observer state trajectories

$$z_{k+1} = (f_k(z_k) - L_k g_k(z_k)) + L_k y_k,$$

$$\tilde{z}_{k+1} = (f_k(\tilde{z}_k) - L_k g_k(\tilde{z}_k)) + L_k y_k + L_k \delta_k, \tag{17}$$

where $\delta_k = \tilde{y}_k - y_k$. We can now use the gain matrices $L_k$ to attempt to design a contractive observer (in order for $z_k$ to converge to $x_k$), while at the same time minimizing the “gain” of the map $\delta \to z$. The proof of the following proposition follows immediately from Theorem 4.

Proposition 1: Consider the system (3), and two measured signals $y, \tilde{y}$ adjacent according to (4). Let $K' = K \times \sup_k \|L_k\|_{Y,X}$. Suppose also that we have the bound

$$\|F_k(z) - L_k G_k(z)\|_X \leq \beta, \quad \forall z \in C,\ \forall k \in \mathbb{N}, \tag{18}$$

for some constant $\beta$, where $F_k(z) = \frac{\partial f_k}{\partial z}(z)$, $G_k(z) = \frac{\partial g_k}{\partial z}(z)$, and $C \subset X$ is a convex forward invariant set for (3) and (17). Then for the two trajectories $z_k$ and $\tilde{z}_k$ of (3) corresponding to the inputs $y_k$ and $\tilde{y}_k$ (and assuming the same initial condition $z_0 = \tilde{z}_0 \in C$ for our observer), we have for any $p > 0$

$$\tilde{z}_k = z_k, \quad \forall k \leq k_0,$$

$$|\tilde{z}_k - z_k|_X \leq p\left(\gamma^{k - k_0} - \alpha^{k - k_0}\right), \quad \forall k > k_0,$$

where $\gamma = \max\{\alpha + K'/p,\ \beta\}$ and $k_0$ is the time period where $y$ and $\tilde{y}$ start to potentially differ according to (4).

Note in the previous proposition that the choice of $L_k$ has an impact both on $p$ and $\gamma$. Increasing the gain $L_k$ can help decrease the contraction rate $\beta$, but at the same time it increases $K'$, forcing us to increase $p$ so that $\alpha + K'/p < 1$. Hence in general we should look to achieve a reasonable contraction rate $\beta$ with the smallest gain possible, in order to reduce the overall system sensitivity (in the sense of Section II-C). We conclude this section with two corollaries of Proposition 1 providing differentially private observers with output perturbation.

Corollary 2: Consider the signal $\hat{x}_k = z_k + \xi_k$, where $z_k$ is computed from (3), the conditions of Proposition 1 are satisfied for the 1-norm on $X$, and $\xi_k$ are iid Laplace random variables with parameter $b$ given by (19). Then this signal $\hat{x}_k$ is $\varepsilon$-differentially private for the adjacency relation (4).

Corollary 3: Let $P$ be a positive definite matrix. Consider the signal $\hat{x}_k = z_k + \xi_k$, where $z_k$ is computed from (3), the conditions of Proposition 1 are satisfied for the $|\cdot|_P$ norm on $X$, and $\xi_k$ is a Gaussian white noise with covariance matrix $\sigma^2 P^{-1}$, where $\sigma = \kappa_{\delta,\varepsilon}\, p\, B$ and

$$B := \left( \sum_{k \geq 0} \left(\gamma^k - \alpha^k\right)^2 \right)^{1/2} \leq \frac{1}{\sqrt{1 - \gamma^2}}.$$

Then this signal $\hat{x}_k$ is $(\varepsilon, \delta)$-differentially private for the adjacency relation (4).

Proof: From the bound of Proposition 1 we deduce that $D z_k + \zeta_k$ is a differentially private signal, where $\zeta_k$ is a Gaussian white noise with covariance matrix $\sigma^2 I$ and $D$ is the matrix square root of $P$. Hence $D^{-1}(D z_k + \zeta_k)$ is also differentially private and we defined $\xi_k = D^{-1}\zeta_k$. ∎

We thus have two differentially private mechanisms with output perturbation, provided we can design the matrices $L_k$ to verify the assumptions of Proposition 1 with the 1- or 2-norm on $X$. The next sections provide application examples for the methodology.

V. Example I: Estimating Link Formation Preferences in Dynamic Social Networks

Statistical studies of networks have intensified tremendously in recent years, with one motivating application being the emergence of online social networking communities. In this section we focus on a state-space model recently proposed in [15] to describe the dynamics of link formation in networks, called the Dynamic Stochastic Blockmodel. This model combines a linear state-space model for the underlying dynamics of the network and the stochastic blockmodel of Holland et al. [16], resulting in a nonlinear measurement equation. Examples of applications of this model include mining email and cell phone databases [15], which obviously contain privacy-sensitive data.

Consider a set of $n$ nodes. Each node corresponds to an individual and can belong to one of $N$ classes. Let $\theta_k^{ab}$ be the probability of forming an edge at time $k$ between a node in class $a$ and a node in class $b$, and let $\theta_k$ denote the vector of probabilities $[\theta_k^{ab}]_{1 \leq a, b \leq N}$. For example, edges could represent email exchanges or phone conversations. Edges are assumed to be formed independently of each other according to $\theta_k$. Let $y_k^{ab} = \frac{m_k^{ab}}{n^{ab}}$ be the observed density of edges between classes $a$ and $b$, where $m_k^{ab}$ is the number of observed edges between classes $a$ and $b$ at time $k$, and $n^{ab}$ is the maximum possible number of edges between these two classes. For simplicity, we assume that the quantities $n^{ab}$ are publicly known (for example, if the class of each node is public information), and we focus on the problem of estimating the parameters $\theta_k^{ab}$ using the signals $y_k^{ab}$. This corresponds to the “a priori” blockmodeling setting in [15], [16]. The links formed between specific nodes constitute private information however, so directly releasing $m_k^{ab}$ or $y_k^{ab}$ or an estimate based on them is not allowed.

If $n^{ab}$ is large enough, the authors in [15] argue from the Central Limit Theorem that an approximate model where $y_k^{ab}$ is Gaussian is justified, so that

$$y_k = \theta_k + v_k, \tag{20}$$

where $v_k$ is a Gaussian noise vector with diagonal covariance matrix $V_k$ (whose entries theoretically should depend on $\theta_k$, but this aspect is neglected in the model). Rather than defining a dynamic model for $\theta_k$, whose entries are constrained to be between 0 and 1, let us redefine the state vector to be the so-called logit of $\theta_k$, denoted $\psi_k$, with entries $\psi_k^{ab} = \ln \frac{\theta_k^{ab}}{1 - \theta_k^{ab}}$, which are well defined for $0 < \theta_k^{ab} < 1$. The dynamics of $\psi_k$ is assumed to be linear

$$\psi_{k+1} = F\psi_k + w_k, \tag{21}$$

for some known matrix $F$. The noise vectors $w_k$ are assumed to be iid Gaussian with known covariance matrix $W$ in [15]. The observation model (20) now becomes

$$y_k = g(\psi_k) + v_k, \tag{22}$$

where the components of $g$ are given by the logistic function applied to each entry of $\psi$, i.e.,

$$g^{ab}(\psi_k) = \frac{1}{1 + e^{-\psi_k^{ab}}}.$$


An Extended Kalman Filter (EKF) is proposed in [15] to estimate $\psi$, but we pursue here a deterministic observer design to illustrate the ideas discussed in the previous sections. Hence, we consider an observer of the form

$$\hat{\psi}_{k+1} = F\hat{\psi}_k + L\left(y_k - g(\hat{\psi}_k)\right) = \left(F\hat{\psi}_k - L g(\hat{\psi}_k)\right) + L y_k,$$

with $L$ a constant square gain matrix. To enforce contraction as in Proposition 1 we should choose $L$ so that $\|F - L G(\hat{\psi}_k)\| \leq \beta$, where $G(\psi)$ is the Jacobian of $g$ at $\psi$, a square and diagonal matrix with entries $G^{ii}(\psi) = \frac{e^{-\psi_i}}{(1 + e^{-\psi_i})^2}$, with $i$ indexing the pairs $(a, b)$. The only non-linearity in the model (21), (22) comes from the observation model (22).

To simplify the following discussion, let’s assume that $F$ is also diagonal (as in [15], where the coupling between components occurs only through the non-diagonal covariance matrix $W$). In this case, the systems completely decouple into scalar systems, and it is natural to choose $L$ to be diagonal as well. The observer for one of these scalar systems takes the form

$$z_{k+1} = f z_k + l\left(y_k - \frac{1}{1 + e^{-z_k}}\right) = f z_k - \frac{l}{1 + e^{-z_k}} + l y_k, \tag{23}$$

where $z_k$ is one component $(a, b)$ of $\hat{\psi}_k$ and $y_k$ now represents just the corresponding scalar component of the measurement vector as well. Since the state space $X$ is now $\mathbb{R}$, the norm $|\cdot|_X$ is simply the absolute value. For contraction, we wish to impose the condition, for some $0 < \beta < 1$,

$$-\beta \leq f - \frac{l\, e^{-z}}{(1 + e^{-z})^2} \leq \beta, \tag{24}$$

i.e.,

$$f - \beta \leq \frac{l\, e^{-z}}{(1 + e^{-z})^2} \leq f + \beta. \tag{25}$$

Now note that $0 < \frac{e^{-z}}{(1 + e^{-z})^2} \leq \frac{1}{4}$ for all $z$. Hence, by taking $l \leq 4(f + \beta)$, the right hand side of (25) is satisfied. Moreover, for $-a \leq z \leq a$, we have

$$\frac{e^{-z}}{(1 + e^{-z})^2} \geq b := \frac{e^{-a}}{(1 + e^{-a})^2}.$$

In this case, by taking $l \geq \frac{f - \beta}{b}$, the left hand side of (25) is also satisfied.

Suppose that we want to design a privacy-preserving observer for the interval $\theta \in [0.05, 0.95]$, or equivalently $\psi \in [-2.95, 2.95]$ approximately. In this interval, we have

$$0.0475 \leq \frac{e^{-\psi}}{(1 + e^{-\psi})^2} \leq \frac{1}{4}.$$

Suppose that we have $f = 0.95$. Then we must have

$$\frac{f - \beta}{0.0475} \leq l \leq 4(f + \beta). \tag{26}$$


In general to reduce the sensitivity we should choose a small gain $l$, which is compatible with (26) if we choose $\beta$ close enough to $f$. Indeed, setting $l = (f - \beta)/0.0475$ and $p = lK/(\beta - \alpha)$ in Proposition 1 so that $\gamma = \beta$ (assuming $\beta > \alpha$), we can verify that the $\ell_1$ sensitivity, say, and thus the noise parameter $b$ in (19) decreases monotonically as $\beta$ increases toward $f$. However, performance concerns for the observer should also dictate the minimum tolerable gain (with a gain $l = 0$, the observer is perfectly private but is not useful).

Fig. 2. Estimate of the edge formation probability $\theta_k^{ab}$, for some classes $(a, b)$. The measured edge density is generated from one component of the model (20), (21) with $f = 0.95$ and $w_k, v_k$ iid Gaussian random variables with zero mean and standard deviation 0.05 and 0.01 respectively. The gain $l$ of the observer (23) is set to 0.3. We plot $1/(1 + \exp(-\hat{z}_k))$ as our estimate of $\theta_k^{ab}$, where $\hat{z}_k$ is a 1-differentially private estimate of $\psi_k^{ab}$, with no postfiltering, for the adjacency relation (4) with parameter values detailed in the main text.

Suppose the disturbance tolerated by the adjacency relation satisfies the bound (4) with $K = 10^{-3}$ and $\alpha = 0.25$. That is, for the pair of classes $(a, b)$ under consideration, we want to provide a differential privacy guarantee making it hard to detect a transient variation in the number of created edges, as long as this variation represents initially at most 0.1% of all the edges between classes $a$ and $b$, and subsequently decreases geometrically at rate 1/4. Concretely, if edges represent phone conversations for example, this means that if an individual in class $a$ suddenly increases his call volume with class $b$ but by an amount representing less than 0.1% of all calls between $a$ and $b$, and then reduces this temporary activity at rate $\alpha$, detection of this event by any means from a differentially private estimate of $\psi_k$ will necessarily have a low probability of success. If a gain $l = 0.3$, say, is judged to be still adequate for the application in terms of tracking performance, we can take $\beta = f - 0.0475\, l \approx 0.936$ and we get $b = 6.23 \times 10^{-3}/\varepsilon$ in (19). If we publish $z_k + \xi_k$ with $\xi_k$ a Laplace white noise with this parameter $b$, we obtain an $\varepsilon$-differentially private estimator of $\psi_k$. Figure 2 illustrates the behavior of the resulting privacy-preserving observer.
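The following is an added worked example, not code from the paper, carrying the scalar design of this section through numerically and checking the bound of Proposition 1 (Section IV) on simulated trajectories. It computes the admissible gain interval (26), the contraction rate $\beta$ of the scalar observer (23) on $[-a, a]$ with $a = \ln 19$ (so that $\theta \in [0.05, 0.95]$ and the slope lower bound is exactly 0.0475), the choice $p = lK/(\beta - \alpha)$ giving $\gamma = \beta$, and the Laplace parameter $b$ of Corollary 2. Since equation (19) is not legible in the available text, the $\ell_1$-sensitivity is obtained here by summing the bound of Proposition 1 over $k > k_0$, which is this example’s assumption; with $f = 0.95$, $l = 0.3$, $K = 10^{-3}$, $\alpha = 0.25$ it reproduces the value $b \approx 6.23 \times 10^{-3}/\varepsilon$ quoted above. The true logit trajectory, the adjacent input and all function names are constructed for the example.

```python
import math
import random

A_LN19 = math.log(19.0)  # psi in [-ln 19, ln 19]  <=>  theta in [0.05, 0.95]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def slope_lower_bound(a):
    # min over |z| <= a of sigma'(z) = e^{-z}/(1+e^{-z})^2, attained at z = +-a
    # (sigma' is even and decreasing in |z|); its max over all z is 1/4, at z = 0
    return math.exp(-a) / (1.0 + math.exp(-a)) ** 2


def gain_interval(f, beta, a):
    # admissible scalar gains from (25)/(26): (f - beta)/b <= l <= 4(f + beta)
    return (f - beta) / slope_lower_bound(a), 4.0 * (f + beta)


def contraction_rate(f, l, a):
    # smallest beta with |f - l sigma'(z)| <= beta on [-a, a]: f - l*sigma' is affine in
    # sigma', which ranges over [b, 1/4], so the extreme values sit at the two endpoints
    return max(abs(f - l * slope_lower_bound(a)), abs(f - l / 4.0))


def design(f, l, K, alpha, a, eps):
    beta = contraction_rate(f, l, a)
    if not alpha < beta < 1.0:
        raise ValueError("need alpha < beta < 1 for the choice p = lK/(beta - alpha)")
    k_prime = l * K                    # K' = K * sup_k ||L_k|| for a scalar gain l
    p = k_prime / (beta - alpha)       # makes alpha + K'/p = beta, hence gamma = beta
    gamma = max(alpha + k_prime / p, beta)
    # ASSUMPTION (this example's, equation (19) being unavailable): the l1-sensitivity
    # is bounded by summing Proposition 1 over k > k0, sum_{j>=1} p(gamma^j - alpha^j),
    # and the Laplace parameter is Delta_1 / eps as in Theorem 1.
    delta1 = p * (gamma / (1.0 - gamma) - alpha / (1.0 - alpha))
    return {"beta": beta, "p": p, "gamma": gamma, "delta1": delta1, "laplace_b": delta1 / eps}


def run_observer(f, l, y, z0=0.0):
    # observer (23); z[k] is the state at time k, updated with y[k]
    z = [z0]
    for yk in y:
        z.append(f * z[-1] + l * (yk - sigmoid(z[-1])))
    return z


def constructed_densities(n=80):
    # constructed true logit trajectory and the resulting noise-free edge densities
    return [sigmoid(2.0 * math.sin(0.05 * k)) for k in range(n)]


def deviation_within_bound(f, l, K, alpha, a, y, k0, tol=1e-9):
    # run (23) on y and on an adjacent input (deviation K alpha^(k-k0) from k0 on) and
    # compare |z~_k - z_k| with the Proposition 1 bound p(gamma^(k-k0) - alpha^(k-k0))
    d = design(f, l, K, alpha, a, eps=1.0)
    y_t = [yk + (K * alpha ** (k - k0) if k >= k0 else 0.0) for k, yk in enumerate(y)]
    z, z_t = run_observer(f, l, y), run_observer(f, l, y_t)
    if any(abs(v) > a for v in z + z_t):   # the bound needs both trajectories inside C = [-a, a]
        return False
    for k in range(len(z)):
        bound = 0.0 if k <= k0 else d["p"] * (d["gamma"] ** (k - k0) - alpha ** (k - k0))
        if abs(z_t[k] - z[k]) > bound + tol:
            return False
    return True


def laplace_release(z, b, seed=0):
    # z_k + xi_k with xi_k iid Laplace(b), sampled by inverse CDF from the stdlib PRNG
    rng = random.Random(seed)
    out = []
    for zk in z:
        u = rng.random() - 0.5
        out.append(zk - b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u)))
    return out


def private_theta_estimate(f, l, K, alpha, a, eps, y, seed=0):
    # publishes sigmoid(z_k + xi_k): post-processing keeps the eps-DP guarantee of z_k + xi_k
    b = design(f, l, K, alpha, a, eps)["laplace_b"]
    return [sigmoid(v) for v in laplace_release(run_observer(f, l, y), b, seed)]


if __name__ == "__main__":
    print(design(0.95, 0.3, 1e-3, 0.25, A_LN19, eps=1.0))
    print(gain_interval(0.95, 0.93575, A_LN19))
    print(deviation_within_bound(0.95, 0.3, 1e-3, 0.25, A_LN19, constructed_densities(), k0=10))
```

The check in `deviation_within_bound` is tight at the first steps after $k_0$: with $p = lK/(\beta - \alpha)$ the bound at $k_0 + 1$ equals $lK$, which is exactly the deviation the observer produces when the worst-case input deviation $K$ hits, so the slack comes only from the slope of the logistic being strictly inside $[0.0475, 1/4]$ along the trajectory.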

VI. Example II: Syndromic Surveillance

Syndromic surveillance systems monitor health related data in real-time in a population to facilitate early detection of epidemic outbreaks [17]. In particular, recent studies have shown the correlation between certain non-medical data, e.g., search engine queries related to a specific disease, and the proportion of individuals infected by this disease in the population [18]. Although time series analysis can be used to detect abnormal patterns in the collected data [17], here we focus on a model-based filtering approach [19], and develop a differentially private observer for a 2-dimensional epidemiological model.

The following SIR model of Kermack and McKendrick [20], [21] models the evolution of an epidemic in a population by dividing individuals into 3 categories: susceptible (S), i.e., individuals who might become infected if exposed; infectious (I), i.e., currently infected individuals who can transmit the infection; and recovered (R) individuals, who are immune to the infection. A simple version of the model in continuous-time includes bilinear terms and reads

$$\frac{ds}{dt} = -\mu \mathcal{R}_0\, i s,$$

$$\frac{di}{dt} = \mu \mathcal{R}_0\, i s - \mu i.$$

Here $i$ and $s$ represent the proportion of the total population in the classes I and S. The last class R need not be included in this model because we have the constraint $i + s + r = 1$. The parameter $\mathcal{R}_0$ is called the basic reproduction number and represents the average number of individuals infected by a sick person. The epidemic can propagate when $\mathcal{R}_0 > 1$. The parameter $\mu$ represents the rate at which infectious people recover and move to the class R. More details about this model can be found in [21].

Discretizing this model with sampling period $\tau$, we get the discrete-time model

$$s_{k+1} = s_k - \tau \beta \mathcal{R}_0\, i_k s_k + w_{1,k} =: f_1(s_k, i_k) + w_{1,k}, \qquad (27)$$

$$i_{k+1} = i_k + \tau \beta\, i_k (\mathcal{R}_0 s_k - 1) + w_{2,k} =: f_2(s_k, i_k) + w_{2,k}, \qquad (28)$$

where we have also introduced noise signals $w_1$ and $w_2$ in the dynamics. We assume here for simplicity that we can collect syndromic data providing a noisy measurement of the proportion of infected individuals, i.e.,

$$y_k = i_k + v_k,$$

where $v_k$ is a noise signal. We can then consider the design of an observer of the form

$$\hat s_{k+1} = f_1(\hat s_k, \hat i_k) + \ell_1 (y_k - \hat i_k),$$

$$\hat i_{k+1} = f_2(\hat s_k, \hat i_k) + \ell_2 (y_k - \hat i_k).$$


We define the Jacobian matrix of the system (27), (28)

$$J(s,i) = I_2 + \tau \beta \mathcal{R}_0 \begin{bmatrix} -i & -s \\ i & s - 1/\mathcal{R}_0 \end{bmatrix},$$

as well as the gain matrix $L = [\ell_1, \ell_2]^T$ and observation matrix $C = [0, 1]$.

Following Corollary 3 and according to Corollary 1, the contraction rate constraint (18) for a norm $|\cdot|_P$ on $\mathbb{R}^2$ with $P$ a positive definite matrix is equivalent to the family of inequalities

$$(J(s,i) - LC)^T P (J(s,i) - LC) \preceq \rho P,$$

$$J_x^T P J_x - J_x^T P L C - C^T L^T P J_x + C^T L^T P L C \preceq \rho P,$$

where we used $J_x := J(s,i)$ to simplify the notation. Defining the new variable $X = PL$, this can be rewritten

$$J_x^T P J_x - J_x^T X C - C^T X^T J_x + C^T X^T P^{-1} X C \preceq \rho P,$$

which, using the Schur complement, is equivalent to the family of LMIs

$$\begin{bmatrix} \rho P - J_x^T P J_x + J_x^T X C + C^T X^T J_x & C^T X^T \\ X C & P \end{bmatrix} \succeq 0, \qquad (29)$$

for all $x = (s, i)$ in the region where we want to prove contraction. If we can find $P, X$ satisfying these inequalities, we recover the observer gain matrix simply as $L = P^{-1} X$.

Note that to minimize $K'$ in Proposition 1 we should try to minimize $\|L\|_P^2 = L^T P L = X^T P^{-1} X$, or equivalently minimize $g_1$ such that the following LMI is satisfied

$$\begin{bmatrix} g_1 & X^T \\ X & P \end{bmatrix} \succeq 0. \qquad (30)$$

However, we should also minimize $P^{-1}$, which appears in the covariance matrix of the privacy-preserving noise in Corollary 3, or equivalently minimize $g_2$ subject to

$$\begin{bmatrix} g_2 I & I \\ I & P \end{bmatrix} \succeq 0. \qquad (31)$$

In the end, we choose to minimize a cost function of the form $g_1 + c\, g_2$, with $c$ a coefficient appropriately tuned to balance observer gain and level of privacy-preserving noise, subject to the LMI constraints (29), (30) and (31), and $P \succ 0$, or perhaps $P \succeq dI$ for another constant $d$ if we wish to impose a hard upper bound on the noise covariance.

Example 2: Let's assume $\beta = 0.1$, $\mathcal{R}_0 = 3$, $K = 5 \times 10^{-4}$, $\alpha = 0.25$, and $\epsilon = 2$, $\delta = 0.05$. That is, we wish to provide a $(2, 0.05)$-differential privacy guarantee for maximum deviations of 0.05% (see the discussion in the previous section). Although not a perfectly rigorous contraction certificate, we sample the continuous set of constraints (29) by sampling the set $\{(s, i) \mid 0.01 \le i \le 0.5,\ 0 \le s \le 1 - i\}$ at the values of $s, i$ multiple of 0.01, to obtain a finite number of LMIs. A more rigorous approach to enforce these constraints could make use of sum-of-squares programming [22]. Following the procedure above, for the choice $\rho = 1 - 10^{-5}$, $c = 1$, we obtain the observer gain $L = [-0.3657;\ 0.2951]$ and the covariance matrix

$$\sigma^2 P^{-1} = \begin{bmatrix} 0.3 & -0.11 \\ -0.11 & 0.13 \end{bmatrix} \times 10^{-4}$$

for the Gaussian privacy-preserving noise. A typical sample trajectory of the estimate of $i$ is shown on Fig. 3.


VII. Conclusion 


We have discussed input and output perturbation mechanisms to design model-based nonlinear estimators with differential privacy guarantees. In general, we wish to achieve a good contraction rate with the smallest gain possible, and in fact this idea applies to both types of mechanisms. Future work includes comparing quantitatively input and output perturbation schemes, and generalizing both by combining

Fig. 3. Estimate of the number of infectious people over time produced by the observer. The noise standard deviations were set to $\sigma_{v_k} = 0.02$ and $\sigma_{w_k} = 0.01\tau$ respectively. The output of the privacy-preserving observer is not filtered.